Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Issue7476 #7781

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Issue7476 #7781

wants to merge 11 commits into from

Conversation

@makrinaemad
Copy link

@makrinaemad makrinaemad commented Jun 19, 2025
edited
Loading

Description

Fix(tls): Send TLS close_notify .

Mitmproxy's TLS layer previously did not send a close_notify alert
when closing TLS connections,
which led to "unexpected EOF while reading" errors in strict clients such as openssl s_client .

This commit fixes the issue by explicitly sending a close_notifyrecord.
This ensures that TLS sessions are terminated cleanly.

Fixes: #7476

Checklist

  • I have updated tests where applicable.
  • I have added an entry to the CHANGELOG.

errorxyz
errorxyz approved these changes Jul 21, 2025
View reviewed changes
Copy link
Member

@errorxyz errorxyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@errorxyz
Copy link
Member

Shouldn't we handle the close_notify here as well?

mitmproxy/mitmproxy/proxy/layers/tls.py

Line 455 in a4d794c

except (SSL.ZeroReturnError, SSL.SysCallError):

@makrinaemad
Copy link
Author

Thank you for the review, @errorxyz!

I don’t think close_notify should be handled within the send_data() context. This block (except (SSL.ZeroReturnError, SSL.SysCallError)) is meant to catch cases where the peer unexpectedly closes the connection or a transmission error occurs.

Since send_data() is part of the active write phase, inserting a close_notify alert here would violate the TLS state machine — alerts must only be sent after the final successful SSL_write, as per RFC 8446.

In TLS 1.3, it is valid for the peer not to send a close_notify. We detect that on the read side via SSL.ZeroReturnError, and the recent changes explicitly track this in self.peer_sent_close_notify. If no alert is received, we synthesize one during send_close() to maintain spec compliance. So, I think no additional handling is needed in send_data().

@errorxyz
Copy link
Member

alerts must only be sent after the final successful SSL_write, as per RFC 8446.

I can't seem to find this specified in the RFC. Can you please provide a reference?

Also, as per section 6.1,

Note that this is a change from versions of TLS prior to TLS 1.3 in
which implementations were required to react to a "close_notify" by
discarding pending writes and sending an immediate "close_notify"
alert of their own.

we should be immediately sending a close_notify for TLS < 1.3.

@makrinaemad makrinaemad force-pushed the issue7476 branch 2 times, most recently from f5924b4 to 6b1ea20 Compare July 27, 2025 22:26
@makrinaemad
Copy link
Author

Yes, you're right, thanks @errorxyz !

Updated: we now handle close_notify on ZeroReturnError in the send_data function for TLS < 1.3.

@errorxyz errorxyz requested a review from mhils October 3, 2025 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@errorxyz errorxyz errorxyz approved these changes

@mhils mhils Awaiting requested review from mhils

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

TLS mitmproxy error: 00D020E001000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:323:

2 participants

@makrinaemad @errorxyz